Skip to content

Commit

Permalink
[NETFILTER]: Fix ip6t_policy address matching
Browse files Browse the repository at this point in the history 
Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
  the address comparison

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Patrick McHardy authored and David S. Miller committed Feb 5, 2006
1 parent e55f1bc commit 878c41c
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions net/ipv6/netfilter/ip6t_policy.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,9 @@ MODULE_LICENSE("GPL");
static inline int
match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
{
#define MATCH_ADDR(x,y,z) (!e->match.x || \
((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
#define MATCH_ADDR(x,y,z) (!e->match.x || \
((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))

return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&
Expand Down

0 comments on commit 878c41c

Please sign in to comment.